hxxp://canarytokens[.]com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact[.]php

Resubmissions

02/08/2023, 15:51 UTC

230802-takwkafd75 1

02/08/2023, 15:47 UTC

230802-s76zmafd63 1

Analysis

max time kernel
13s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 15:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4548	msedge.exe
4548	msedge.exe
548	identity_helper.exe
548	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 1080	4548	msedge.exe	19
PID 4548 wrote to memory of 1080	4548	msedge.exe	19
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 2696	4548	msedge.exe	84
PID 4548 wrote to memory of 4416	4548	msedge.exe	82
PID 4548 wrote to memory of 4416	4548	msedge.exe	82
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83
PID 4548 wrote to memory of 2256	4548	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c20a46f8,0x7ff9c20a4708,0x7ff9c20a4718
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14864768570002922837,12910427674645990802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

Network

DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

canarytokens.com

msedge.exe

Remote address:

8.8.8.8:53

Request

canarytokens.com

IN A

Response

canarytokens.com

IN A

52.18.63.80
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:35 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:40 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:44 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:48 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:52 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:54 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://canarytokens.com/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:80

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Wed, 02 Aug 2023 15:51:56 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://canarytokens.org/resources/favicon.ico
GET

http://fonts.googleapis.com/css?family=Comfortaa

msedge.exe

Remote address:

216.58.208.106:80

Request

GET /css?family=Comfortaa HTTP/1.1
Host: fonts.googleapis.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: text/css,*/*;q=0.1
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Content-Type: text/css; charset=utf-8
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Link: <http://fonts.gstatic.com>; rel=preconnect; crossorigin
Expires: Wed, 02 Aug 2023 15:51:33 GMT
Date: Wed, 02 Aug 2023 15:51:33 GMT
Cache-Control: private, max-age=86400, stale-while-revalidate=604800
Last-Modified: Wed, 02 Aug 2023 15:51:33 GMT
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin-allow-popups
Content-Encoding: gzip
Transfer-Encoding: chunked
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
DNS

80.63.18.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.63.18.52.in-addr.arpa

IN PTR

Response

80.63.18.52.in-addr.arpa

IN PTR

ec2-52-18-63-80 eu-west-1compute amazonawscom
DNS

126.134.241.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.134.241.8.in-addr.arpa

IN PTR

Response
GET

http://fonts.gstatic.com/s/comfortaa/v40/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4WjMDrMfIA.woff2

msedge.exe

Remote address:

142.250.179.131:80

Request

GET /s/comfortaa/v40/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4WjMDrMfIA.woff2 HTTP/1.1
Host: fonts.gstatic.com
Connection: keep-alive
Origin: http://canarytokens.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Referer: http://fonts.googleapis.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 12028
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 29 Jul 2023 13:47:46 GMT
Expires: Sun, 28 Jul 2024 13:47:46 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Fri, 24 Jun 2022 19:17:50 GMT
Content-Type: font/woff2
Age: 353028
DNS

106.208.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.208.58.216.in-addr.arpa

IN PTR

Response

106.208.58.216.in-addr.arpa

IN PTR

ams17s08-in-f101e100net

106.208.58.216.in-addr.arpa

IN PTR

sof01s11-in-f106�I
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

canarytokens.org

msedge.exe

Remote address:

8.8.8.8:53

Request

canarytokens.org

IN A

Response

canarytokens.org

IN A

52.18.63.80
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:36 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:40 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:44 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:48 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:50 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:52 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:55 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
GET

https://canarytokens.org/resources/favicon.ico

msedge.exe

Remote address:

52.18.63.80:443

Request

GET /resources/favicon.ico HTTP/1.1
Host: canarytokens.org
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://canarytokens.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Aug 2023 15:51:56 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 8992
Connection: keep-alive
Accept-Ranges: bytes
Last-Modified: Fri, 21 Jul 2023 15:02:12 GMT
DNS

apps.identrust.com

msedge.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

23.72.252.171

a1952.dscq.akamai.net

IN A

23.72.252.163
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

msedge.exe

Remote address:

23.72.252.171:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Wed, 08 Feb 2023 16:52:56 GMT
ETag: "37d-5f433188daa00"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Wed, 02 Aug 2023 16:51:36 GMT
Date: Wed, 02 Aug 2023 15:51:36 GMT
Connection: keep-alive
DNS

171.252.72.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.252.72.23.in-addr.arpa

IN PTR

Response

171.252.72.23.in-addr.arpa

IN PTR

a23-72-252-171deploystaticakamaitechnologiescom
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response

52.18.63.80:80

http://canarytokens.com/resources/favicon.ico

http

msedge.exe

9.9kB
37.5kB
44
48

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301

HTTP Request

GET http://canarytokens.com/stuff/csyvn8lv2uue13cib4gqnwuo7/contact.php

HTTP Response

200

HTTP Request

GET http://canarytokens.com/resources/favicon.ico

HTTP Response

301
52.18.63.80:80

canarytokens.com

msedge.exe

190 B
92 B
4
2
216.58.208.106:80

http://fonts.googleapis.com/css?family=Comfortaa

http

msedge.exe

647 B
1.4kB
6
5

HTTP Request

GET http://fonts.googleapis.com/css?family=Comfortaa

HTTP Response

200
142.250.179.131:80

http://fonts.gstatic.com/s/comfortaa/v40/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4WjMDrMfIA.woff2

http

msedge.exe

894 B
13.3kB
10
13

HTTP Request

GET http://fonts.gstatic.com/s/comfortaa/v40/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4WjMDrMfIA.woff2

HTTP Response

200
52.18.63.80:443

https://canarytokens.org/resources/favicon.ico

tls, http

msedge.exe

7.2kB
81.4kB
50
69

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200

HTTP Request

GET https://canarytokens.org/resources/favicon.ico

HTTP Response

200
23.72.252.171:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

msedge.exe

370 B
1.6kB
5
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
142.250.179.131:80

fonts.gstatic.com

190 B
92 B
4
2

8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

canarytokens.com

dns

msedge.exe

62 B
78 B
1
1

DNS Request

canarytokens.com

DNS Response

52.18.63.80
8.8.8.8:53

80.63.18.52.in-addr.arpa

dns

70 B
131 B
1
1

DNS Request

80.63.18.52.in-addr.arpa
8.8.8.8:53

126.134.241.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.134.241.8.in-addr.arpa
8.8.8.8:53

106.208.58.216.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

106.208.58.216.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

canarytokens.org

dns

msedge.exe

62 B
78 B
1
1

DNS Request

canarytokens.org

DNS Response

52.18.63.80
8.8.8.8:53

apps.identrust.com

dns

msedge.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

23.72.252.171

23.72.252.163
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

171.252.72.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

171.252.72.23.in-addr.arpa
224.0.0.251:5353

msedge.exe

570 B
9
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b950ebe404eda736e529f1b0a975e8db

SHA1
4d2c020f1aa70e2bcb666a2dd144d1f3588430b8

SHA256
bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4

SHA512
6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8bc49afb5eab8736497ea2254213401e

SHA1
30c2cf8026c45d9c5b7ccc3735f8a208488a9027

SHA256
17a77be45d158b86d8df6ec0bad37e3776cc387abbfa7172ecf51a139cebda76

SHA512
c9591dc555778badd0dc62bcecfb0e0948b346b37af492321b6e9414df759c57a2574c862811cf8b3035b8a85c8d355b443663422fb71eda0000556e03872ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d4a13f5af8cd3b6b02b315e4549e215d

SHA1
99a29fb996120536a8f13e18820c8d824516cf9e

SHA256
97aab63c685c855c173c8b071d27a319f375f0810898f2d0ca53d6834e46d7eb

SHA512
560e48624f457dbca0a9d04fe7201b8a607db662f4466528b66d56b3335421b157d320cc899b8f8f8b6e5ba4b550e2759e234ff5f668924160ab4b6626b238f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7c556925bbd7dbc170cd37e2caaf7c5

SHA1
bd18bcc31dd1d4f6c1ae35bba9c59f9b5001d870

SHA256
3bc3932bddbae08ab1ed985f88843d333dd7ffc58ea3d09035550ef5f78b94de

SHA512
341b90266ee154cce08688eb6c91fe0b989d04e07b42b8f58c39ad66f3e6b99e43521ef8be67c65ef6eefd580243ba465a2b0132d09cb46c218bfaf3c630ae8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0be8cf5ef908755832825d8d3e8272f

SHA1
d0027cfa7e0663faa7550b32213c611bb50894e9

SHA256
2b14d6b2d99b5ffc267a10be209a730c60722d9b9641d1d15f000a00addbddd0

SHA512
28b7242c6b14b8d77c5d38ec0e318a37a99947c1b18778a8c0f534773c75d13d653c549f04443f9d4f9743f371e6cec15a199ceb6cae6667f10881615ee99f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ca36933e6dea7aa507a272121b34fdbb

SHA1
3b4741ca0308b345de5ecf6c3565b1dbacb0fb86

SHA256
fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d

SHA512
5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f432f9ba408aad6ddc216819a69d6c62

SHA1
2ed303359809a524cdcb59f29600c70521869bb0

SHA256
7b0a7b555ee03e8fff391f0cb2c141cfd5da2578aa8b6b321b4e989145d86ba8

SHA512
6073f3808c84ef670dee2a7fc53219c2aeecc28066910c95d10102a8253679f933a5a6a55feb3ca2cf2de3157f948420f24c603a38b40b3a4a1d7da9a59f9e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
04e01ded2deb45396180efd8e153a3ce

SHA1
3484af18ad93e5de0abc03f6bf3f11795a94c172

SHA256
1173c497d06bfbb63f0431c77e7044a98764a264acec2280818f5af1bdb15828

SHA512
8b0064d9917d393be5736eafe949b3d94ed3941a31a57e5fce7e0a157f761b66abc87252caab8eac1a2e2fe12deb78d59ed1796059eaf0962b8ad28f3b07e6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6dc48c783ffbd913b0bef5ea705964ee

SHA1
0742a6b33c8f98e5d846b8f8349523171213faef

SHA256
b4b80668b434484e17c500915b7ac2d07cff25a1a90b2c447c23cce8433129e0

SHA512
f748f84b96535c557d1502737890afcf94808442aa1bc2f6d65fd6fadfca9b7ee1ece27aa9cf287ea3c99c221e55b8c0f8aade876e33dc1205d68c1e7d4afe7c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request